How to Enable HSTS in Windows Server 2016: A Complete IIS Guide for HTTPS Security and Preload

Enable HSTS in Windows Server 2016 by adding the Strict-Transport-Security header to the IIS site’s HTTP response headers and serving the site over an HTTPS binding with a valid certificate.

If you’re running websites on Windows Server 2016 with IIS, you likely want to take advantage of HTTP Strict Transport Security (HSTS) to prevent downgrade attacks and cookie hijacking. In this guide, you’ll get a practical, step-by-step approach to enabling HSTS on IIS via both the UI and PowerShell, what values to set, how to test it, and best practices including subdomains and preload. We’ll also cover rollback and common pitfalls so you can roll out safely.

What you’ll learn in this guide:

  • Why HSTS matters and the key terms you’ll see (max-age, includeSubDomains, preload)
  • Prerequisites and quick checks before enabling HSTS
  • Step-by-step IIS Manager instructions to set the header
  • PowerShell method to add the header for automation
  • How to test and verify the header is being sent
  • How to enable includeSubDomains and optional preload, and what each implies
  • Rollback steps if you need to disable HSTS
  • Real-world tips and potential gotchas

Useful URLs and Resources (text only):

  • Microsoft IIS Documentation – docs.microsoft.com
  • Configure HTTP Strict Transport Security HSTS in IIS – docs.microsoft.com
  • HSTS and IIS: Official guidance – docs.microsoft.com
  • HSTS Preload List – hstspreload.org
  • Mozilla Observatory – observatory.mozilla.org
  • OWASP Secure Headers Project – owasp.org
  • SSL Labs Best Practices – ssllabs.com

What is HSTS and why you should enable it

  • HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. When a browser visits a site that has HSTS enabled, the browser will only interact with the site using HTTPS for a specified period (max-age). Any later attempt to reach the site over HTTP is rewritten to HTTPS by the browser before a request is sent, reducing the risk of man-in-the-middle attacks.
  • Why this matters: by enforcing secure connections, you reduce the attack surface for eavesdropping, cookie theft, and session hijacking. It’s especially important for login pages, admin consoles, and any endpoints that handle sensitive data.
  • Core terms to know:
    • max-age: the time in seconds that the browser should remember to use HTTPS only (commonly 31536000 seconds = 1 year)
    • includeSubDomains: applies HSTS to all subdomains of the host that sent the header
    • preload: a directive signalling that you intend to submit your domain to the HSTS preload list built into major browsers. Once your domain is on the list, you can’t easily disable HSTS for the lifetime of the preload entry.

Prerequisites before enabling HSTS on Windows Server 2016

  • Ensure you have a valid TLS certificate installed and that all sites you plan to cover support HTTPS with valid certificates.
  • Your server should be running Windows Server 2016 with IIS 10 or later.
  • Confirm that every subdomain you intend to cover (if you plan to use includeSubDomains) also supports HTTPS. If a subdomain serves HTTP only or uses a misconfigured TLS certificate, users will be unable to reach that subdomain once the policy is cached.
  • Plan for rollback: know how you’ll remove the header or set max-age to 0 if you need to revert.

Step-by-step: Enable HSTS via IIS Manager UI

  1. Open IIS Manager
  • Open Server Manager > Tools > Internet Information Services (IIS) Manager.
  • In the Connections pane, expand your server and select the website you want to secure with HSTS (e.g., Default Web Site).
  2. Confirm HTTPS bindings
  • Click Bindings… in the right-hand Actions pane.
  • Ensure you have an HTTPS binding (port 443) with a valid certificate. If not, add one now.
  3. Add the HSTS header
  • In the Features view for the site, double-click HTTP Response Headers.
  • In the Actions pane, click Add.
  • For Name, enter Strict-Transport-Security
  • For Value, enter max-age=31536000; includeSubDomains (directives are separated by semicolons)
  • Click OK.
  4. Optional: add the preload directive
  • If you’re considering browser preload, append ; preload to the value: max-age=31536000; includeSubDomains; preload
  • Note: Preloading is a one-way decision once browsers start honoring it, so only enable it after thorough testing and with a plan to maintain HTTPS across all subdomains indefinitely.
  5. Test the header
  • Open a browser and navigate to your site using HTTPS.
  • Use developer tools or curl to verify the header is present in responses, for example: curl -I https://yourdomain.com
  6. Validate across subdomains
  • If you added includeSubDomains, test a subdomain (e.g., https://sub.yourdomain.com) to ensure it’s served with a valid TLS certificate and reachable via HTTPS.

Step-by-step: Enable HSTS via PowerShell automation
PowerShell is great for automation, especially when you’re applying HSTS to multiple sites.

Code example (UI-agnostic approach):

Import-Module WebAdministration

$headerName  = "Strict-Transport-Security"
$headerValue = "max-age=31536000; includeSubDomains"

# Apply to a specific site (replace 'Default Web Site' with your site name).
# To apply to all sites, target MACHINE/WEBROOT/APPHOST instead, or loop through Get-Website.
$sitePath = "MACHINE/WEBROOT/APPHOST/Default Web Site"

# Add the custom header to the site's customHeaders collection.
# Hashtable entries are separated by ';' (as are the directives in the header value).
# Add-WebConfigurationProperty fails if an entry with this name already exists; use
# Set-WebConfigurationProperty on the existing entry in that case.
Add-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/httpProtocol" -Name "customHeaders" -Value @{name=$headerName; value=$headerValue}

Verification:

  • Get a fresh response header, for example: curl -I https://yourdomain.com
    • Look for Strict-Transport-Security in the output
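The snippet above targets one site and fails if the header already exists. The following script is an added example (not code from the original guide or from Microsoft) that generalizes it: it walks every site on the server, skips sites with no HTTPS binding, and adds or updates the header in place. The function name, its parameter defaults, and the use of -Location for site-level scoping are my choices; it assumes the WebAdministration module on IIS 10 in an elevated session.

```powershell
# Added example (not from the original guide): add or update the HSTS header on every IIS site
# that has an HTTPS binding, and skip the rest. Assumes the WebAdministration module (IIS 10 on
# Windows Server 2016) in an elevated PowerShell session; -WhatIf previews without writing config.
Import-Module WebAdministration

function Set-HstsHeaderOnHttpsSites {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int64]$MaxAge = 31536000,   # seconds; pass a lower value for a staged rollout (assumed default)
        [switch]$IncludeSubDomains,
        [switch]$Preload
    )

    # Build the header value; directives are separated by ';'.
    $value = "max-age=$MaxAge"
    if ($IncludeSubDomains) { $value += '; includeSubDomains' }
    if ($Preload) {
        # hstspreload.org only accepts includeSubDomains plus a max-age of at least one year.
        if (-not $IncludeSubDomains -or $MaxAge -lt 31536000) {
            throw 'preload requires includeSubDomains and max-age >= 31536000'
        }
        $value += '; preload'
    }

    $filter = 'system.webServer/httpProtocol/customHeaders'
    foreach ($site in Get-Website) {
        $httpsBindings = @($site.bindings.Collection | Where-Object { $_.protocol -eq 'https' })
        if ($httpsBindings.Count -eq 0) {
            # No HTTPS binding: the policy could only lock users out, so leave this site alone.
            Write-Warning "Skipping '$($site.Name)': no HTTPS binding"
            continue
        }

        # -Location scopes the write to this site's <location> element in applicationHost.config,
        # leaving other sites untouched.
        $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site.Name }
        $existing = Get-WebConfigurationProperty @common -Filter "$filter/add[@name='Strict-Transport-Security']" -Name value -ErrorAction SilentlyContinue

        if (-not $PSCmdlet.ShouldProcess($site.Name, "Strict-Transport-Security: $value")) { continue }
        if ($null -ne $existing) {
            # Update in place; Add-WebConfigurationProperty would fail on a duplicate entry.
            Set-WebConfigurationProperty @common -Filter "$filter/add[@name='Strict-Transport-Security']" -Name value -Value $value
        } else {
            Add-WebConfigurationProperty @common -Filter $filter -Name '.' -Value @{ name = 'Strict-Transport-Security'; value = $value }
        }
        Write-Output "$($site.Name): $value"
    }
}

# Preview first, then apply. Leave out -Preload until every subdomain is HTTPS-ready.
Set-HstsHeaderOnHttpsSites -MaxAge 31536000 -IncludeSubDomains -WhatIf
# Set-HstsHeaderOnHttpsSites -MaxAge 31536000 -IncludeSubDomains
```

Run it with -WhatIf first to see which sites would be touched. Browsers only honor Strict-Transport-Security on HTTPS responses, so each site’s HTTP binding still needs its HTTP-to-HTTPS redirect for a visitor’s first request; the header alone does not provide that.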

Rollback or disable HSTS quickly

  • If you need to disable HSTS, remove the header (use the same -PSPath the header was added with):
    Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -Filter 'system.webServer/httpProtocol' -Name 'customHeaders' -AtElement @{name='Strict-Transport-Security'}
  • If you want to temporarily reduce enforcement, you can set max-age to 0. Removing the header does not clear the policy browsers have already cached; only a max-age=0 header received over HTTPS tells them to drop it, so serve max-age=0 for a while before removing the header entirely:

Update the existing header entry to max-age=0 (rather than adding a second Strict-Transport-Security entry):

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -Filter "system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']" -Name 'value' -Value 'max-age=0'

Observability: monitor impact after enabling

  • Check analytics and error logs for any unexpected user impact.
  • Ensure no subdomains are unexpectedly inaccessible due to certificate or TLS misconfig.
  • Use security headers testing tools (e.g., a security headers checker) to confirm the header is present and correctly configured.
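Checking the header by eye with curl covers the “Test the header” step above, but it does not tell you whether the value is well-formed or whether plain HTTP still redirects to HTTPS. The following script is an added example (not code from the original guide or from any tool it lists) that parses a Strict-Transport-Security value against the rules this guide describes and then checks a live host. The function names are my own and www.example.com is a placeholder; it uses only Windows PowerShell 5.1 built-ins.

```powershell
# Added example (not from the original guide): parse a Strict-Transport-Security value and check a
# live host. 'www.example.com' is a placeholder; function names are assumptions for this example.
# Windows PowerShell 5.1 may default to older TLS versions, so request TLS 1.2 explicitly.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function ConvertFrom-HstsHeader {
    # Turn a raw header value into an object with the parsed directives and any issues found.
    param([string]$Value, [int64]$MinMaxAge = 31536000)
    $r = [ordered]@{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false; Issues = @() }
    foreach ($directive in ($Value -split ';')) {
        $d = $directive.Trim()
        if     ($d -eq '')                   { continue }
        elseif ($d -match '^max-age=(\d+)$') { $r.MaxAge = [int64]$Matches[1] }
        elseif ($d -eq 'includeSubDomains')  { $r.IncludeSubDomains = $true }   # -eq is case-insensitive
        elseif ($d -eq 'preload')            { $r.Preload = $true }
        else                                 { $r.Issues += "unknown directive '$d'" }
    }
    if ($null -eq $r.MaxAge)          { $r.Issues += 'max-age is missing (it is required)' }
    elseif ($r.MaxAge -eq 0)          { $r.Issues += 'max-age=0 disables the policy (rollback value)' }
    elseif ($r.MaxAge -lt $MinMaxAge) { $r.Issues += "max-age $($r.MaxAge) is below $MinMaxAge" }
    if ($r.Preload -and -not $r.IncludeSubDomains) { $r.Issues += 'preload requires includeSubDomains' }
    if ($r.Preload -and $null -ne $r.MaxAge -and $r.MaxAge -lt 31536000) {
        $r.Issues += 'preload requires a max-age of at least one year'
    }
    return [pscustomobject]$r
}

function Test-HstsHost {
    # Fetch https://<host>/ and check the header, then confirm http:// redirects to https://.
    # Browsers ignore HSTS received over plain HTTP, so the first visit still relies on the redirect.
    param([Parameter(Mandatory)][string]$HostName)
    $report = [ordered]@{ Host = $HostName; HeaderPresent = $false; Parsed = $null; HttpRedirectsToHttps = $false; Issues = @() }

    try {
        # Invoke-WebRequest follows redirects, so the header read here is from the final HTTPS response.
        $https = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -ErrorAction Stop
        $raw = $https.Headers['Strict-Transport-Security'] -join ' '
        if ($raw) {
            $report.HeaderPresent = $true
            $report.Parsed = ConvertFrom-HstsHeader -Value $raw
            $report.Issues += $report.Parsed.Issues
        } else {
            $report.Issues += 'Strict-Transport-Security not sent on the HTTPS response'
        }
    } catch {
        $report.Issues += "HTTPS request failed: $($_.Exception.Message)"
    }

    try {
        $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
        $req.AllowAutoRedirect = $false   # inspect the 301/302 itself instead of following it
        $req.Method = 'HEAD'
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
        if ($code -ge 300 -and $code -lt 400 -and $location -like 'https://*') {
            $report.HttpRedirectsToHttps = $true
        } else {
            $report.Issues += "http:// did not redirect to https:// (status $code)"
        }
    } catch {
        $report.Issues += "HTTP request failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$report
}

# Offline check of a value before pasting it into IIS (no network needed):
ConvertFrom-HstsHeader -Value 'max-age=31536000; includeSubDomains; preload'
# Live check against a placeholder host:
# Test-HstsHost -HostName 'www.example.com' | Format-List
```

Run ConvertFrom-HstsHeader on the value you intend to configure; a value written with periods instead of semicolons, for example, shows up as an unknown directive and a missing max-age. Run Test-HstsHost against the main host and each subdomain you intend to cover with includeSubDomains, and treat any entry in Issues as a blocker before enabling the policy in production.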

Header values and a quick reference table

Setting             What it does                                  Recommended value
max-age             How long the browser should enforce HTTPS     31536000 (1 year) or longer for strong security
includeSubDomains   Apply HSTS to all subdomains                  Yes, if all subdomains support HTTPS
preload             Opt in to browser preload lists               Use only after thorough testing and subdomain readiness

Best practices and safety tips

  • Start with a conservative rollout: enable HSTS on a single site first, verify behavior, then apply to additional sites.
  • Ensure all subdomains are HTTPS ready before using includeSubDomains with a long max-age.
  • Prefer certificates with 2048-bit or larger RSA keys and enable modern TLS versions and ciphers to avoid downgrade or vulnerability risk.
  • If you plan to preload, ensure compliance with the preload requirements on hstspreload.org, and only submit after your domain and subdomains are HTTPS ready.
  • Document your rollback plan and test it in a staging environment before production changes.
  • Monitor user feedback and error rates after enabling HSTS to catch edge cases quickly.

Common pitfalls to avoid

  • Enabling HSTS on domains that still serve HTTP can lock users out. Always ensure HTTPS is active across the entire site.
  • Adding includeSubDomains without securing some subdomains can cause faults for users trying to reach those subdomains.
  • Preload is a long-term commitment: once approved, you’ll need to maintain HTTPS for all subdomains for the long term, and removal from the list is not quick.
  • Misconfiguring the header value can lead to inconsistent behavior across browsers; test across major browsers.

Real-world tips

  • Use a staging environment to enable HSTS first, then roll out to production after confirming the header is emitted on all responses.
  • If you rely on third-party services hosted on subdomains, coordinate with those teams before enabling includeSubDomains.
  • Consider a staged max-age, such as starting with 6 months (18336000 seconds) and then increasing to 1 year once the rollout has proven stable.

Frequently Asked Questions

What is HSTS in simple terms?

HSTS is a policy that tells browsers to always use HTTPS for a site for a defined period, preventing insecure HTTP connections.

Why would I enable HSTS on Windows Server 2016?

Enabling HSTS helps protect users from protocol downgrade attacks and cookie hijacking by enforcing secure connections.

Can I enable HSTS for all sites on the server at once?

Yes, you can apply the header to multiple sites, either via IIS Manager for each site or by using a PowerShell script to loop through sites and apply the header.

What should the max-age be set to?

A common recommended value is 31536000 (1 year). Some admins choose longer periods when confident in long-term HTTPS coverage. Avoid very short max-ages in production if you’re ready for stricter security.

Should I includeSubDomains?

If you control all subdomains and they are HTTPS-ready, includeSubDomains makes sense. If not, start without it and add it later after validation.

What about preload? Is it worth it?

Preload has benefits for browsers to enforce HSTS from the first visit, but it requires strict readiness across all subdomains and ongoing HTTPS maintenance. Only enable preload after thorough testing and validation.

How do I test that HSTS is working?

Use curl or browser dev tools to verify the Strict-Transport-Security header is present on HTTPS responses. Example: curl -I https://yourdomain.com, then look for Strict-Transport-Security in the response headers.

How can I disable HSTS if needed?

Remove the header from the site’s HTTP response headers or set max-age to 0. A full rollback involves removing the header configuration from IIS.

Will HSTS affect non-browser clients or bots?

HSTS is primarily a browser feature. Non-browser clients might not enforce HSTS unless they explicitly honor the header; test critical clients to ensure no disruption.

Does HSTS affect subdomains using different TLS configurations?

Yes. If includeSubDomains is enabled, all subdomains must serve HTTPS with valid TLS. Any misconfiguration on a subdomain can cause access issues for users.

How long does it take for HSTS changes to take effect?

Browsers apply the policy as soon as they receive the header over HTTPS and keep it for the duration of max-age, refreshing the timer on each response that carries the header. Preload timing depends on submission and on browser release schedules.

Can I apply HSTS to a specific site while leaving others unaffected?

Yes. Use the IIS Manager or targeted PowerShell commands to apply the header to selected sites only.

What are the consequences of a misconfigured TLS setup on subdomains?

If a subdomain has an invalid certificate or no HTTPS at all, users won’t be able to reach it under HSTS with includeSubDomains. You’ll need to fix the TLS issue before enabling includeSubDomains.

Are there performance impacts from HSTS?

The performance impact is minimal; the header is a small addition to each response. The real benefits come from improved security and reduced risk of downgrades.

How do I verify browser support for HSTS on my site?

Most modern browsers support HSTS. You can verify by checking response headers and by using the eligibility check on hstspreload.org to confirm readiness.

Should I enable HSTS on development environments?

It’s typically best to enable HSTS only on staging/production environments or restrict it with separate hostnames to avoid accidental lockouts during development.

Step-by-step quick-start recap

  • Ensure you have HTTPS running with a valid certificate on Windows Server 2016 IIS.
  • In IIS Manager, add an HTTP Response Header named Strict-Transport-Security with the value max-age=31536000; includeSubDomains and optionally ; preload.
  • Test with curl to confirm the header is present in responses.
  • If you want automation, apply via PowerShell using Add-WebConfigurationProperty for system.webServer/httpProtocol.
  • If you plan preload, review the requirements on hstspreload.org and prepare across all subdomains for HTTPS.
  • Maintain a rollback plan to disable or reduce enforcement if needed.

Note: This guide focuses on Windows Server 2016 with IIS 10. If you’re on a newer Windows Server version or running additional reverse proxies in front of IIS like ARR, Nginx, or a CDN, you may need to apply HSTS at those layers as well and ensure consistency across all paths.

End of guide.
